
Saturday, January 12, 2013

ICS-CERT Closes out two Basecamp Alerts and a Luigi Alert

Dale Peterson’s S4 Conference opens this weekend, and it has been given an appropriate starting nod from ICS-CERT: two of the systems identified as vulnerable at last year’s meeting (Rockwell PLCs and the CoDeSys Runtime) had their ICS-CERT Alerts closed out yesterday. For good measure, ICS-CERT also closed out an earlier alert for SpecView based on a vulnerability reported by Luigi.

CoDeSys Advisory

This advisory closes out two vulnerabilities in the CoDeSys Runtime that were identified by Reid Wightman at last year’s Project Basecamp. The improper access control and directory traversal vulnerabilities could allow a relatively low-skilled attacker to use publicly available exploit tools to remotely access the affected systems “to compromise the availability, integrity, and confidentiality of the device”; essentially, to own the system. CoDeSys has made a patch available, and Reid has validated that the patch is effective.

The bigger picture is troubling. Reid noted that the Runtime is used by a large number of other vendors in their product lines. When ICS-CERT updated the original Alert in October, CoDeSys had published a list of those vendors on its web site. This advisory reports that the list is no longer there.

ICS-CERT reports that about 260 vendors use this vulnerable product as part of their systems. It would seem to me that some could apply the CoDeSys patch directly, but others would have to provide a patch unique to their systems because of potential interactions with their own code. Wouldn’t it be prudent for ICS-CERT to go to those 260 vendors and give them the now-standard 45 days to develop mitigation measures for the affected systems? Surely someone at ICS-CERT kept a copy of that list of vendors...

Rockwell Advisory

This advisory closes out the alert on the Rockwell PLCs based upon a presentation given by Rubén Santamarta of IOActive at last year’s S4 conference. According to the original alert, Rubén identified seven vulnerabilities; this advisory reports eight vulnerabilities that a relatively low-skilled attacker could exploit remotely, possibly resulting “in a denial-of-service (DoS) condition, controller fault, or enable a Man-in-the-Middle (MitM) attack, or Replay attack” (pg 2).

The eighth vulnerability was subsequently discovered by Rockwell. The eight are:

• Improper access control, Change IP (CVE-2012-6439);

• Improper access control, Reset (CVE-2012-6442);

• Improper access control, Stop (CVE-2012-6435);

• Information exposure (CVE-2012-6441);

• Improper input validation, NIC (CVE-2012-6438);

• Improper input validation, CPU (CVE-2012-6436);

• Authentication bypass by capture, Replay (CVE-2012-6440); and

• Improper authentication, Firmware Upload (CVE-2012-6437).

Rockwell has produced three separate patches for the affected systems and provided a list of temporary mitigations that can be put into place while waiting for an opportunity to patch the affected system (a nice move, considering the potential problems with patching a running control system).

Rockwell made these patches available in July. ICS-CERT was evidently expecting something else from Rockwell in addition to those patches (what isn’t clear), because it noted in this advisory that: “There have been no updates from Rockwell since these patches were released.” (pg 1)

There is also a bigger-picture issue here that was ignored in this advisory. Reid Wightman noted on the Digital Bond blog last year that the vulnerabilities identified by Rubén could potentially affect systems from about 300 vendors, because the vulnerabilities are inherent to the EtherNet/IP protocol used for communications with the PLCs, not unique to the Rockwell PLCs.

ICS-CERT acknowledged this in its updated alert in February. It was not mentioned, however, in this advisory. Again, I ask the question: is ICS-CERT going to give these 300 vendors their standard 45-day notice and then start publishing advisories?

SpecView Advisory

This advisory for SpecView is based upon an uncoordinated disclosure from Luigi. He describes the vulnerability as “a classical directory traversal attack through the usage of more than two dots”. ICS-CERT says that a skilled attacker using Luigi’s proof-of-concept code could remotely carry out an attack that “could result in data leakage and file manipulation” (pg 1).

SpecView has produced an update, and Luigi has verified that it fixes the vulnerability.
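Both the CoDeSys and SpecView advisories above involve directory traversal, and Luigi’s “more than two dots” description points at the classic failure mode: a web server that blacklists the literal string `../` in one pass and then trusts whatever is left. The following is an added illustration of that general class written for this post; it is not Luigi’s proof-of-concept, not SpecView’s or CoDeSys’s code, and the document root and filter logic are hypothetical. It shows the naive filter beside a hardened resolver that normalises first and then enforces containment under the document root.

```python
import posixpath
from typing import Optional

# Hypothetical document root for the demonstration (not SpecView's real layout).
WEB_ROOT = "/srv/specview/www"


def naive_sanitize(requested: str) -> str:
    """Vulnerable pattern: strip '../' once and trust the result.

    str.replace removes non-overlapping occurrences in a single pass, so the
    request '....//' becomes '../' only AFTER the filter has run.  That is the
    "more than two dots" trick: the extra dots and slashes are what survive.
    """
    cleaned = requested.replace("../", "")
    return posixpath.normpath(posixpath.join(WEB_ROOT, cleaned.lstrip("/")))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened pattern: no blacklist; normalise, then check containment.

    Returns the absolute path to serve, or None when the request must be
    rejected.  '....' is just an oddly named directory after normalisation,
    so it resolves to a harmless (non-existent) path inside the root.
    """
    # NUL bytes and backslashes have no business in a URL path on a POSIX
    # server; reject rather than try to clean them.
    if "\x00" in requested or "\\" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, requested.lstrip("/")))
    root = WEB_ROOT.rstrip("/")
    # Containment check: the candidate is the root itself or lives below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: a benign one, a plain traversal, and the bypass.
    for req in ("index.html", "../../../etc/passwd", "....//....//....//etc/passwd"):
        print(f"{req!r:40} naive -> {naive_sanitize(req)}")
        print(f"{'':40} safe  -> {safe_resolve(req)}")
```

The naive filter stops the textbook `../../../etc/passwd` request, which is exactly why it gets shipped; the `....//` variant walks straight out of the root. The hardened version never tries to recognise the attack string at all, so there is no second variant to find.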

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. I'm now working as a QA Manager in a specialty chemical manufacturing facility.